Re: Sharing SAs in the multi-sender environment
Perhaps you could explain why you want/need this functionality?
If it's for multicast, see Steve's response below. OTOH, if it's for
unicast why won't two separate, but parallel, IPSec tunnels between
(two separate) security gateways work?
-shane
On Wed, Feb 14, 2001 at 10:54:50AM -0500, Stephen Kent wrote:
> At 1:46 PM +0200 2/14/01, juha.ollila@nokia.com wrote:
> > Hello!
> >
> >Is there any standardized or non-standardized way to share a single SA in
> >the multi-sender environment? There are some problems (e.g. lack of
> >anti-replay protection) with sharing SAs between several senders, but
> >sharing SAs could be useful if there are several security gateways in the
> >same security or administrative domain. Is there any problem with sharing a
> >single SA between several receivers? Would someone help me with this issue?
> >Thanks in advance.
> >
>
> Senders do not share unicast SAs: the keying material for an SA is
> assumed to be private to the end points of the SA, and we have no
> means of securely sharing keys among multiple originators. Also, as
> you noted, each sender is REQUIRED to send a "one-up" sequence
> number, which they cannot do without some magic coordination. For
> receivers, the problem is even harder, because receivers not only
> would need to share the keys, but also would need to coordinate SA
> SPIs, which are receiver controlled, and sequence number management.
>
> Multicast will need to address these problems. Look to that WG to
> propose solutions, e.g., MESP.
>
> Steve
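An added example, not from the thread: a minimal ESP-style receiver anti-replay window, used to show Steve's point that two senders cannot share one unicast SA (their independent "one-up" counters collide in the receiver's window) and Shane's alternative of parallel SAs with distinct SPIs. The SPI values, window size and packet streams are constructed for illustration.

```python
# Constructed example: receiver-side anti-replay window keyed by SPI.
WINDOW = 64  # minimum window size in RFC 2401; implementations may use larger


class AntiReplayWindow:
    """Sliding window for one inbound SA (one SPI)."""

    def __init__(self, size=WINDOW):
        self.size = size
        self.top = 0      # highest sequence number accepted so far
        self.bitmap = 0   # bit i set => sequence number (top - i) already seen

    def check_and_update(self, seq):
        """Return True if seq is fresh and accepted, False if replayed or too old."""
        if seq == 0:
            return False                      # ESP sequence numbers start at 1
        if seq > self.top:                    # new high-water mark: slide the window
            shift = seq - self.top
            if shift >= self.size:
                self.bitmap = 0               # jumped past the whole window
            else:
                self.bitmap = (self.bitmap << shift) & ((1 << self.size) - 1)
            self.bitmap |= 1
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:
            return False                      # older than the window: drop
        if self.bitmap & (1 << offset):
            return False                      # duplicate inside the window: drop
        self.bitmap |= 1 << offset
        return True


def deliver(packets, windows):
    """packets: list of (spi, seq); windows: dict spi -> AntiReplayWindow.
    Returns how many packets the receiver accepts."""
    return sum(1 for spi, seq in packets if windows[spi].check_and_update(seq))


def interleave(a, b):
    """Two gateways' traffic arriving alternately on the wire (constructed)."""
    return [p for pair in zip(a, b) for p in pair]


def shared_sa_accepted():
    # Both gateways number their own traffic 1..5 but use the same SPI (constructed 0x1001).
    pkts = interleave([(0x1001, s) for s in range(1, 6)], [(0x1001, s) for s in range(1, 6)])
    return deliver(pkts, {0x1001: AntiReplayWindow()})


def parallel_sa_accepted():
    # Separate SAs (constructed SPIs 0x1001, 0x1002), each with its own window.
    pkts = interleave([(0x1001, s) for s in range(1, 6)], [(0x1002, s) for s in range(1, 6)])
    return deliver(pkts, {0x1001: AntiReplayWindow(), 0x1002: AntiReplayWindow()})
```

With one shared SA only the first gateway's five packets survive; with two parallel SAs all ten are accepted.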